WordPress Security

Passwords are Broken. WebAuthn is the New Standard for Authentication

Verizon’s Data Breach Investigations Report for 2022 reports that over 80% of breaches can be attributed to stolen credentials, and there has been a 30% increase in stolen credentials as a primary intrusion vector versus vulnerability exploitation. What if we just got rid of passwords?

Kathy Zant

Recently, iThemes Security Pro added passkeys as a primary authentication method for WordPress sites. This groundbreaking release is the first of its kind in the WordPress space, and it’s something you should know about. Once again, iThemes Security has shown leadership in providing exceptional security functionality to WordPress users.

In this post, we’ll review the password problem, what WebAuthn is, and why you’ll begin to use this technology everywhere. If you’re a WordPress site owner looking to improve login and security functionality for your end users, you now have the cutting-edge standard for friction-free logins available to you.

This is an article about the innovative Passkey features released in 2022 for iThemes Security Pro, which we’ve continued to develop and improve as Solid Security Pro. Learn more about the Solid rebrand.

passkeys

Understanding the password problem that WebAuthn solves

Our online lives, including the user accounts used by WordPress, have been based on username and password access. This was fine for a while. But then reused passwords, dictionary brute force attacks, and the sharing of breached account data by malicious actors have made our system of password-based security ineffective.

In fact, Verizon’s Data Breach Investigations Report for 2022 reports that over 80% of breaches can be attributed to stolen credentials, and there has been a 30% increase in stolen credentials as a primary intrusion vector versus vulnerability exploitation.

Credentials refers to the username/password combination. And Verizon’s data tells us one thing: passwords are broken. The addition of two-factor authentication (2FA) has been helpful, but unfortunately, the friction and complexity it adds has meant that it has only been adopted by 28% of users. We get it; 2FA adds another layer of friction for attackers, but it also makes logging in harder for users as well. And in the case of SMS-based 2FA, it just isn’t secure enough. Stories of SIM port attacks for high-value targets are not common, but they are catastrophic when they occur.

The FIDO (Fast Identity Online) Alliance has been working towards fixing these problems, and WebAuthn is the specification that has come out of that work.

At this stage of our digital lives, passwords are broken. Thankfully there is a new and better way for authentication, and that is WebAuthn.

What is WebAuthn?

WebAuthn is short for the Web Authentication API. This is a specification written by the W3C and FIDO, with the participation of Apple, Google, Mozilla, Microsoft, Yubico, and others. The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password. Since January 2019, WebAuthn is supported on Chrome, Firefox, Microsoft Edge, and Safari. At the time of this writing, WebAuthn is supported by well over 90% of devices and their browsers.

WebAuthn is part of the FIDO2 framework, which is a set of technologies that enable passwordless authentication between servers, browsers, and authenticators. WebAuthn was standardized by the World Wide Web Consortium.

Now that so many of our devices use biometric authentication, such as FaceID on your iPhone, or fingerprint recognition on your MacBook, Windows Hello, and many others, we have a new method of determining whether or not a login attempt is actually the valid user and not a brute force attack.

How does WebAuthn work?

WebAuthn uses public key cryptography to secure connections between users and the systems they use. Using WebAuthn, you’re able to use a single authentication method, such as the biometrics on your devices or a YubiKey, on any site that supports the standard. This way, as a user, you don’t need to have passwords for every site you visit, just a strong authenticator that works with WebAuthn.

Using this strong authentication instead of a password, we can create a private-public keypair for a website. The private key is stored securely on your device (for example, your phone or computer), and the public key and randomly generated credential is sent to the web server for storage. The webserver and in the case of iThemes Security Passkeys, your WordPress site, can use the public key to verify the user’s identity.

How WebAuthn Works

This public key is not a secret. As such, if the web server or WordPress site is ever hacked, the credentials stored with the public key are useless to an attacker. The public key simply cannot be used without the private key.

To understand how WebAuthn actually works, the FIDO2 Project has some great resources.

WebAuthn changes the security landscape

WebAuthn really is groundbreaking in the world of security. Databases are no longer as attractive to hackers, because the public keys aren’t useful to them. As well, WebAuthn makes credential theft more difficult.

And for end users, WebAuthn eliminates the need to remember multiple usernames and passwords. All a user on a MacBook, for example, needs is their fingerprint to log into their site enabled with iThemes Security Passkeys.

Apple, who has implemented WebAuthn also notes that WebAuthn protects against phishing attacks. A phishing attack that emails users with links to fake login screens would not be effective without passwords. A user using passkeys for account login would not even have a password to provide to a malicious phishing form. The authentication is completely handled by the private key stored on their device communicating with the public key stored on the web server. WebAuthn effectively renders both random phishing attacks as well as targeted spearphishing attacks completely ineffective.

The security game has changed with WebAuthn. While it may take some time for brute force attacks and password theft to become less attractive to malicious attackers, proactive site owners who choose to implement WebAuthn will be leaders in ensuring that their sites are no longer a part of the game.

Frictionless logins make for happier customers

These site owners are also providing an additional valuable feature for their users, customers, students, or whoever is logging into their WordPress sites. Instead of requiring friction-filled multi-factor authentication protocols to ensure that the WordPress site stays secure, WebAuthn implemented by iThemes Security allows site owners to provide a friction-free passwordless login while making their site much less attractive to hackers.

More implementations of WebAuthn are coming

You might look at how life-changing this technology is and wonder why more sites, services and apps are not using WebAuthn. While this technology is groundbreaking, it is also very new. Adding WebAuthn to legacy services will require some refactoring. But as we’ve seen with many new technologies that change the landscape, it is coming. The need to move beyond passwords is a definite driver. And, as more users experience frictionless login capabilities, we’ll begin to see user requests to have passwordless logins expanded.

In this way, iThemes Security has cemented itself as the leader in WordPress security, changing the face of how WordPress users login. iThemes Security Passkeys is the first implementation of WebAuthn in the WordPress space, and it will certainly be the standard going forward.

To get iThemes Security Passkeys for your WordPress site now, you’ll need iThemes Security Pro. Luckily, you can currently get this at a discounted price. You won’t see these low prices for long, however. The sale ends September 30, 2022.

Did you like this article? Spread the word: